hunt-lateral-movement
Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.
96
96%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific techniques and actions, uses natural security analyst terminology, explicitly states both capabilities and trigger conditions, and carves out a distinct niche in threat hunting for lateral movement.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Hunt for lateral movement', 'service installations', 'remote process execution', and 'suspicious network correlations'. Also names specific techniques (PsExec, WMI). | 3 / 3 |
Completeness | Clearly answers both what ('Hunt for lateral movement... Searches for service installations, remote process execution, and suspicious network correlations') and when ('Use when proactively searching for attackers moving through your network using admin tools'). | 3 / 3 |
Trigger Term Quality | Includes natural keywords users would say: 'lateral movement', 'PsExec', 'WMI', 'admin tools', 'service installations', 'remote process execution', 'network correlations'. These are terms security analysts naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focused on lateral movement detection with distinct triggers (PsExec, WMI, service installations). Unlikely to conflict with general security or network monitoring skills due to the specific attack technique focus. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality threat hunting skill with excellent actionability and workflow clarity. The UDM queries are concrete and executable, the workflow is well-sequenced with clear decision points and escalation paths, and the required outputs table ensures accountability. Minor improvement could come from extracting the detailed query library to a separate reference file for better progressive disclosure.
Suggestions
Consider moving the detailed UDM query examples to a separate QUERIES.md file, keeping only 1-2 representative examples inline with references to the full library
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, providing only necessary information without explaining concepts Claude already knows. Tables and code blocks are used effectively to convey information densely. | 3 / 3 |
Actionability | Provides fully executable UDM queries, specific MCP tool calls, and concrete examples. The placeholder table clearly explains what needs customization, and queries are copy-paste ready. | 3 / 3 |
Workflow Clarity | Clear 8-step sequence with logical progression from research through documentation. Includes explicit decision points ('If suspicious activity found'), escalation triggers, and cross-references to related skills for follow-on actions. | 3 / 3 |
Progressive Disclosure | Well-organized with clear sections and tables, but the skill is somewhat long and could benefit from splitting detailed query examples into a separate reference file. The inline query library makes the main workflow harder to scan. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.